Posted Apr 21, 2018 by hahuong. 30 pages.
Transcript
Page 1

A Practical & Tactical Approach to Implementing Enterprise Risk Management (ERM)

National Society of Accountants for Cooperatives (NSAC)

Jennifer Leary, Partner – National Risk Management

©2012 CliftonLarsonAllen LLP

Page 2

Speaker Bio – Jen Leary

Jennifer (Jen) Leary, CPA, National Partner – Risk Management for CliftonLarsonAllen

Jen is a National technical partner in CLA’s Business Risk Services consulting practice. She has more than 16 years of experience serving clients in a variety of industries on both internal and external audit engagements and in various consulting roles.

Her professional background includes over a decade with an international accounting firm serving clients in the U.S. and throughout Europe and Asia. She is also a noted speaker on various topics and trainer of our internal and external teams including Enterprise Risk Management, Internal Controls Process Improvement, Contract Compliance and Acquisitions Consulting.

Page 3

Agenda Topics

1. Briefly summarize ERM (the “technical”)

2. Understanding the ERM maturity model and where you may fit (the “practical”)

3. Developing an action plan for implementation (the “tactical”)

4. Questions & Answers

Page 4

PART ONE OF FOUR

Briefly summarize ERM (the “technical”)

Page 5

Why Discuss ERM? 

All entities face inherent risk and uncertainty, and the challenge for management is to determine what level of risks to accept as it strives to grow and deliver value, and what costs to incur to manage/mitigate risks throughout the process.


Page 6

What Is Risk Governance?

Directors and management evaluating, monitoring and improving their processes for overseeing the company’s framework of risk assessment and risk management activities.

(Diagram labels on the slide: Compliance, Risk, Governance)

Page 7

Increasing Demand for Enhanced Governance and Risk Oversight

• 2012 Dodd‐Frank Act Rules

o compensation committee independence

o disclosure of pay‐for‐performance, pay ratios, and hedging by employees and directors

o recovery of executive compensation

o reporting over conflict minerals essential for business

o disclosure of government payments to resource extraction issuers, companies engaging in commercial development of oil, natural gas, and minerals

• 2010 SEC Rules to Enhance Corporate Governance Disclosures

o director and nominee qualifications and legal proceedings

o diversity and director nominations

o board leadership structure and role in risk oversight

o accelerated disclosure of shareholder voting results

• COSO – Enterprise Risk Management Framework

o Provides an organizational scope, emphasis, and program to broaden risk management to an enterprise‐wide emphasis and integrate into corporate strategy

• Sarbanes‐Oxley, 2002

o Calls for enterprise‐wide documentation and testing of controls over financial reporting risk

Many organizations’ response is to enhance their corporate governance processes by developing and implementing an Enterprise Risk Management process

Page 8

Evaluating Risk Information: AON 2011 Survey. Source: www.aon.com

Pie chart: Industry Sources of Identified Risk. Categories shown: Business Unit registers; Key Risk Indicator; Other; External Service Providers; Senior Management Intuition and Experience; Board Input and Scenario Planning. Percentages shown on the chart: 42%, 32%, 11%, 8%, 8%, 7% (which percentage belongs to which category is not recoverable from the extracted text).

Page 9

Risk Information – AON Survey. Source: www.aon.com

Top 10 Risks Facing Organizations:

1. Economic Slowdown

2. Regulatory/legislative changes

3. Increased competition

4. Damage to reputation and brand

5. Business interruption

6. Failure to innovate/meet customer needs

7. Failure to attract or retain top talent

8. Commodity price risk

9. Technology failure/system failure

10. Cash flow/liquidity risk

Page 10

PART TWO OF FOUR

Understanding the ERM maturity model and where you may fit (the “practical”)

Page 11

How Are Organizations Implementing?

Based on a GAIN Benchmark Study (IIA), the status of ERM integration efforts is as follows:

ERM Specific Initiatives Designed and/or Implemented | Share of respondents
Periodic enterprise risk assessments performed | 52%
Risks aggregated at the corporate level | 49%
Enterprise-wide established policies and risk committees | 30%
Risk management integrated into business initiatives | 30%
Enterprise risk dashboard | 30%
Risk training and knowledge sharing programs | 26%
Enterprise-wide risk tolerance levels and risk limits consistent | 20%
Risk tolerances linked to strategic objectives | 12%

Page 12

A Model for Evaluating Risk Management Capability

1. How capable is your Organization today to manage its risk profile?

2. How capable does it need to be?

3. How can it get to its desired state?

The slide shows five maturity stages along an axis running from Un‐rewarded Risk to Rewarded Risk:

1: Tribal & Heroic
• Ad‐hoc / chaotic; depends primarily on individual heroics, capabilities and verbal wisdom

2: Specialist Silos
• Reaction to adverse events by specialists
• Discrete roles established for small set of risks
• Typically finance, insurance, compliance

3: Top‐Down
• Tone set at the top
• Policies, procedures, risk authorities defined and communicated
• Business function
• Primarily qualitative
• Reactive

4: Systemic
• Integrated response to adverse events
• Performance linked metrics
• Rapid escalation
• Cultural transformation underway
• Bottom‐up
• Proactive

5: Risk Intelligent
• Built into decision‐making
• Conformance with enterprise risk management processes is incentivized
• Intelligent risk taking
• Sustainable
• “Risk management is everyone’s job”

Page 13

IMA Maturity Model for ERM (diagram only on the slide)

Page 14

PART THREE OF FOUR

Developing an action plan for implementation (the “tactical”)

Page 15

DISTINCT ERM ROADS AVAILABLE

Option 1 ‐ Implementing a Full‐Scale ERM Model

‐ Implementing a full program as further described and documented through facilitated sessions, documentation and meetings

Option 2 ‐ Implementing an ERM‐Lite Model

‐ Implementing a top‐level assessment using surveys, interview questionnaires and conference calls

Option 3 ‐ A hybrid (customize your own model including “the best of both” for your organization)

Page 16

A Typical Framework for Implementation

Phase 1 – Understand, Accept, Buy‐In (Value Proposition; Commit to Pilot)
• Clarify needs & expectations
• Executive awareness and commitment
• Establish IERM as a priority
• Agree on scope, criteria, process
• Communicate
• Decision to proceed

Phase 2 – Assess (Assess enterprise risks and risk management capability)
• Set risk appetite and key performance metrics
• Assess vulnerability to selected key risks
• Qualify before quantify
• Assess interactions and risk experience
• Assess current capabilities
• Develop risk profile
• Identify gaps & set priorities

Phase 3 – Recommend (Detailed recommendations to resolve capability gaps in effectiveness & efficiency)
• Define authorities, requirements, resources
• Design sustainable process
• Identify capabilities for design
• Design change management
• Proof of Concept
• Pilot test

Phase 4 – Implement, Operate & Continuously Improve (Implement sustainable IERM capabilities)
• Deploy tools
• Train personnel
• Monitor & Report
• Integrate into core management processes
• Change management
• Continuously improve

Page 17

Questions Process Owners Should be Able to Answer

For each of your risks:

• How does this risk relate to achieving your objectives?

• What is the organization’s appetite for risk or what is its tolerance for deviating from expected results?

• What is your state of preparedness?

• How do you know? How confident are you?

• What are the risks where you really need to improve your risk management?

• Which of these risks are most likely to occur and why?

• What is your overall risk mitigation plan?

• How will you monitor the effectiveness of the plan?

• Are there other risks on or over the horizon that you need to start to prepare for now?

Page 18

Most organizations rely on multiple sources for answers. However, risk oversight and an integrated approach are usually lacking.

General Counsel – Legal and Intellectual Property

Finance – Internal Control, Disclosure, Credit, Liquidity, Commodity, Risk Analytics & Modeling

Compliance and Ethics – Ethics and Business Conduct, and Regulatory Compliance Risks

Internal Audit – Risk informed audits, risks to internal control, key exposures and vulnerabilities, and assurance

Information Management – IT Security, Data Integrity, Information Adequacy, Business Process/Continuity Risks

Business Development – Market and Strategy Risks

Security – Risks to property and people

Insurance – Property, Casualty, Liability, and Hazards

Operations – Quality of care, Customer Relations, Market and Pricing, Competitive, People/Process/Asset Performance, Environmental and Safety Risks

ERM provides a means to better understand, communicate and respond to the risk knowledge that exists in the organization

Page 19

An Integrated ERM Approach

RISK OVERSIGHT & INSIGHT – Board & Executive Management: Alternatives, Decisions, Scenarios & Events; Strategy & Execution; Risk Taking; Enterprise Value; Enterprise Risks; Stakeholder Value

GOVERNANCE – Ethics/Decision Authority; Oversight/Independence; Compensation/Other

STRATEGY – Strategic Plan/Acquisitions/Divestitures; Succession Planning; Brand/Marketing/Pricing; Reputational

OPERATIONS – Service Delivery; Inventory Management; Staffing and Employment; Quality Standards; Cost Management

INFRASTRUCTURE – Compliance; Finance & Accounting; Tax; Information Technology; Insurance; BCP; Safety/Physical Security; Legal/IP/Litigation; Environmental/Other

EXTERNAL FACTORS – Competition/Economic Conditions; Geo‐political/Regulatory; Activism/Public Safety; Natural Disasters/Other

Further diagram labels: People, Process, Technology, Reporting; Operations Risk Avoidance; Compliance Risk Avoidance; Revenue Growth; Operating Margin; Asset Efficiency; Expectations (Stakeholder Value)

Rewarded risk can drive value. Unrewarded risk can destroy value.

Page 20

Top 10 Steps of Implementing an ERM Program

1. Obtain Executive Team and Board of Directors Buy‐In and Support

– Hold a meeting to discuss ERM and the Organization’s need to implement

– Assign risk governance oversight responsibility

– Assign a Chief Risk Officer – A “champion” within the Organization

– Communicate requirements of ERM

2. Define the elements of your ERM program in simple, clearly defined terms

– Remember, risk is neutral. It can be either positive (an opportunity) or negative (an issue).

– Risk – The possibility of an event occurring that would negatively affect the achievement of objectives.

– Risk Tolerance – Levels of risk clearly established in an Organization’s internal environment.

– Opportunity – Attempting to increase the Organization’s value by taking on risk.

– Risk Appetite – The level of risk that an Organization is willing to take on as part of its process to set objectives.

Page 21

Illustrative ERM Roles & Responsibilities

Party | Responsibility | Monthly or as Needed | Quarterly | Semi-annually

Board / Audit Committee | Establish risk appetite; Review enterprise risks | – | Review all relevant risk | Review enterprise risks

Executive Management (select group or working committee) | Set policy, prioritize and allocate resources for overall corporate risks | Review risks and allocate resources; Provide guidance for significant new risks | Review risks and allocate resources | Review risks and allocate resources; report updates to Board / Audit Committee

ERM Team (PMO, Council, Committee, etc.) | Manage process, tools and data | Coordinate and assist | Assist with reporting and review | Assist with reporting and review; Monitor program effectiveness

Division A Management Team | Identify, assess & monitor risks relevant to division | Report/escalate significant new risks | Report all relevant risk | Review risks with Executive Management

Division B Management Team | Identify, assess & monitor risks relevant to division | Report/escalate significant new risks | Report all relevant risk | Review risks with Executive Management

Division C Management Team | Identify, assess & monitor risks relevant to division | Report/escalate significant new risks | Report all relevant risk | Review risks with Executive Management

Corporate Management Team | Identify, assess & monitor risks relevant to corporate functions | Report/escalate significant new risks | Report all relevant risk | Review risks with Executive Management

Page 22

Top 10 Steps of Implementing an ERM Program

3. Determine your Organization’s Risk Tolerance

‐ How much risk is this organization willing to accept? High? Low? Moderate?

‐ How does your strategic plan fit in?

4. Determine Materiality ranges at the entity level and by business units, as applicable

For Example:

Measure | Low‐End of Range | High‐End of Range
Revenue | 1% | 5%
Assets | 0.25% | 0.50%
Equity | 1% | 5%

Page 23

Top 10 Steps of Implementing an ERM Program

5. Identify a Risk Inventory Library with the help of a facilitated session

6. Determine the probability of significant risks occurring and their magnitude

7. Determine how risks will be managed

8. Develop a detailed Activity‐level Risk Assessment

9. Confirm and develop the level of reporting needed by Executive Management and the Board of Directors

10. Establish communication protocol & management of the on‐going ERM process

Page 24

Overall Risk Profile – Library Index

The slide groups the library under four headings: Governance & Strategic Risk; Operational & Process Risk; Financial/Reporting Risk; Compliance. Items shown (the column each item sits in is not recoverable from the extracted text):

Business Model Innovation; Customer Satisfaction; Environmental; Interest Rate; Regulatory Reporting; Board Governance; Capital Availability; Human Resources; Health and Safety; Currency; Migrant Labor; Political; Product Development; Permanent Equity; International Trade Laws; Competition; Legal; Efficiency; Outsourcing; Commodity; Product Safety; Industry Consolidations; Industry Capacity; Performance Incentives; Liquidity; Anti-Trust; Energy & Material Costs; Ethics; Scalability; Information Technology Integrity; Concentration; Customer/Credit/Other; Budget and Planning; Succession Planning; Commodity Contracting; Information Technology Availability; Collateral; Product Availability; Image and Branding; Partnering; Information Technology Infrastructure; Cash Flow; Infrastructure; Contract Commitment; Reputational; Product/Service Failure; Fraud & Illegal Acts; Opportunity Cost; Investment Valuation; Catastrophic Loss; Business Interruption; Internal Control Environment; Resource Availability; Pensions & Health/Welfare; Financial Reporting

Page 25

Major Types of IT Risk and IT Risk Areas

IT Computing Environment

• Hardware, Software

• System interfaces, Databases

• System and data criticality (system’s importance to the organization) & sensitivity

• Data backup and recovery process

Logical Access

• Password Administration

• Direct and Physical access to data, data centers/facilities/equipment

• Lack of segregation of duties

Network Security and Availability

• System security policies & architecture

Operational Environment of IT systems

• Functional requirements of IT system

• Users of the IT system

• Management of data changes

Page 26

Risk Rankings ‐ Framework

• We recommend utilizing a numeric risk ranking model as part of the risk assessment

• Depending on the potential risk universe, to further delineate and differentiate risks, we recommend using the following:

o Likelihood

o Impact

o Tolerance

o Pervasiveness

Page 27

Prioritized Risk Profile

Heat map with Likelihood (High / Moderate / Low) on one axis and Significance (High / Low) on the other. Risks plotted, numbered as on the slide (item 4 did not survive extraction):

1. Supply Chain: People
2. Competitor
3. Customer
5. Availability
6. Infrastructure: Systems Development
7. Customer: Employees
8. Financial Markets
9. Price
10. Supply Chain: Capital
11. Infrastructure: Systems Utilization
12. Alignment
13. Customer: Payors
14. Planning
15. Business Model
16. Regulatory/Legal
17. Communication
18. Compliance
19. HR: Management
20. Sovereign/Political
21. Product/Service Development
22. HR: Employee Capabilities
23. Reputation
24. Accounting Information
25. Budget & Planning
26. Access
27. Ethics
28. Performance Measurement
29. Supply Chain: Materials
30. Investor Relations
31. Liquidity
32. Leadership
33. Business Interruption
34. Authority Limit
35. Product/Service Pricing
36. Catastrophic Loss
37. Unauthorized Use
38. Credit
39. Mission
40. Fraud
41. Financial Reporting
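The numeric ranking model recommended on Page 26 and the Likelihood x Significance profile on Page 27 are worked through in the following added example, which is not part of the original slides or of CliftonLarsonAllen's material. The 1–5 scales, the weights, the combining formula, the band cut-offs and the scores in the constructed inventory are all assumptions; only the four factor names and the risk names come from the slides.

```python
"""Four-factor numeric risk ranking (Likelihood, Impact, Tolerance,
Pervasiveness) producing a prioritized profile and heat-map cells.
Scales, weights, formula and cut-offs are assumptions for this example."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights for folding Impact, Tolerance and Pervasiveness into one
# Significance value (impact counts for half).
WEIGHTS = {"impact": 0.5, "tolerance": 0.25, "pervasiveness": 0.25}
FACTORS = ("likelihood", "impact", "tolerance", "pervasiveness")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int     # 1 = rare .. 5 = almost certain
    impact: int         # 1 = minor .. 5 = severe
    tolerance: int      # 1 = well within appetite .. 5 = zero tolerance
    pervasiveness: int  # 1 = one unit affected .. 5 = enterprise-wide

    def __post_init__(self):
        # Reject out-of-scale inputs so a typo cannot silently skew the ranking.
        for f in FACTORS:
            v = getattr(self, f)
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: {f}={v!r} must be 1..5")


def significance(r: Risk) -> float:
    """Weighted 1..5 value: how much the risk matters if it materialises."""
    return (WEIGHTS["impact"] * r.impact
            + WEIGHTS["tolerance"] * r.tolerance
            + WEIGHTS["pervasiveness"] * r.pervasiveness)


def composite_score(r: Risk) -> float:
    """Likelihood x Significance (1..25): the number the ranking sorts on."""
    return r.likelihood * significance(r)


def likelihood_band(r: Risk) -> str:
    """Heat-map axis bands as on the slide: High / Moderate / Low."""
    if r.likelihood >= 4:
        return "High"
    return "Moderate" if r.likelihood == 3 else "Low"


def significance_band(r: Risk) -> str:
    """Two-level significance axis as on the slide; the 3.0 cut-off is assumed."""
    return "High" if significance(r) >= 3.0 else "Low"


def prioritized_profile(risks):
    """Risks ordered by composite score, highest first; ties broken by significance."""
    return sorted(risks, key=lambda r: (composite_score(r), significance(r)),
                  reverse=True)


def heat_map(risks):
    """(likelihood band, significance band) -> risk names, in ranked order."""
    cells = defaultdict(list)
    for r in prioritized_profile(risks):
        cells[(likelihood_band(r), significance_band(r))].append(r.name)
    return dict(cells)


# Constructed inventory: risk names taken from the slide, scores invented.
SAMPLE_RISKS = [
    Risk("Supply Chain: People", 5, 4, 3, 4),
    Risk("Business Interruption", 2, 5, 5, 5),
    Risk("Unauthorized Use", 3, 4, 4, 3),
    Risk("Liquidity", 2, 4, 3, 2),
    Risk("Fraud", 1, 3, 5, 2),
    Risk("Financial Reporting", 1, 2, 2, 1),
]

if __name__ == "__main__":
    for rank, r in enumerate(prioritized_profile(SAMPLE_RISKS), 1):
        print(f"{rank}. {r.name:<22} score={composite_score(r):5.2f} "
              f"cell=({likelihood_band(r)}, {significance_band(r)})")
```

Note how a low-likelihood risk with severe impact and zero tolerance (Business Interruption) still lands in a High significance cell, which is what the two-axis view adds over a single composite number.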

Page 28

Results – Sample Heat Map (image only on the slide)

Page 29

Critical Success Factors

• Gain Board / senior executive commitment and involvement

• Establish management accountability and responsibilities

• Demonstrate tangible results and link to value objectives

• Build the process into the way the enterprise does business

• Obtain supporting charter, policies, and procedures

• Focus on the cultural/change management process

• Monitor and continuously improve

Page 30

PART FOUR OF FOUR

Questions and Answers